On October 30th 2019, the Berlin Commissioner for Data Protection and Freedom of Information issued a fine of around 14.5 million Euros against Deutsche Wohnen SE for violations of the General Data Protection Regulation (GDPR).
During on-site inspections in June 2017 and March 2019, the supervisory authority found that the company used an archive system for the storage of personal data of tenants that did not provide the possibility of removing data that was no longer required. Personal data of tenants was stored without checking whether storage was permissible or even necessary. In some of the individual cases that were examined, it was therefore possible to find years-old private
data from tenants that were preserved although they were no longer necessary for the purpose of their original collection. This involved data on the personal and financial circumstances of tenants, such as salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data and bank statements.
The Berlin Commissioner for Data Protection urgently recommended an adjustment of the archive system during the first inspection in 2017. Nevertheless, in March 2019, more than one and a half years after the first inspection and nine months after the start of application of the GDPR, the company was still unable to either demonstrate a clean-up of its database or present legal reasons for the continued storage. The company actually did make preliminary
preparations to remedy the deficiencies. However, those measures did not suffice to align the storage of personal data with the legal requirements. The imposition of a fine for an infringement of Article 25 (1) GDPR and Article 5 GDPR during the period between May 2018 and March 2019 was therefore mandatory.
The GDPR requires supervisory authorities to ensure that fines in each individual case are not only effective and proportionate, but also dissuasive. The starting point for the calculation of fines is therefore, among other things, the previous year's worldwide turnover of the companies concerned. Since annual turnover of Deutsche Wohnen SE exceeded 1.4 billion Euros according to its 2018 annual report, the legally prescribed limit for fines to be assessed for the type of data protection violation that was discovered was around 28 million Euros.
For the specific determination of the amount of the fine, the Berlin Commissioner for DataProtection has used the legal criteria, taking into account both aggravating and mitigating factors. The fact that Deutsche Wohnen SE had deliberately set up the archive structure in question and that the data concerned had been processed in an inadmissible manner over a long period of time was considered to be particularly aggravating. On the other hand, it was taken into account as a mitigating factor that the company took initial measures to remedy the illegal situation and cooperated formally well with the supervisory authority. In view of the fact that the company could not be proven to have misused access to the inadmissibly stored data, a fine of about half the upper limit was appropriate.
In addition to sanctioning this structural violation, the Berlin Commissioner for Data Protection imposed fines of between 6,000 and 17,000 Euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases as well.
The decision to impose a fine has not yet become final. Deutsche Wohnen SE has the right to lodge an appeal against the fine.
"Sadly, in the course of our supervisory practice, we frequently come across data graveyards like the one we found at Deutsche Wohnen SE. The significance of such abuses unfortunately only becomes clear when those masses of hoarded data are stolen and abused, for example due to cyber-attacks. But even without such serious consequences, we are dealing with a flagrant violation of the principles of data protection, which are intended to protect people from precisely such risks. It is gratifying that, adopting the GDPR, the legislator has introduced the possibility of sanctioning such structural deficiencies before the worst case scenario comes to pass. I recommend to all data controllers that they check their archive systems for compatibility with the GDPR".
To read the press release in German, click here
For further information, please contact the Berlin DPA: firstname.lastname@example.org